The Data Act applies to:
a) manufacturers of connected products placed on the market in the EU and providers of related services, irrespective of the place of establishment of those manufacturers and providers;
(b) users in the EU of connected products or related services as referred to in point (a);
(c) data holders, irrespective of their place of establishment, that make data available to data recipients in the EU;
(d) data recipients in the EU to whom data are made available;
(e) public sector bodies, the Commission, the European Central Bank and EU bodies that request data holders to make data available where there is an exceptional need for those data for the performance of a specific task carried out in the public interest and to the data holders that provide those data in response to such request;
(f) providers of data processing services, irrespective of their place of establishment, providing such services to customers in the EU;
(g) participants in data spaces and vendors of applications using smart contracts and persons whose trade, business or profession involves the deployment of smart contracts for others in the context of executing an agreement.

The Data Act defines “services” primarily in relation to connected products and data processing services. Specifically, the types of services covered include:

Related Services: These are services that are connected to a product in such a way that the product cannot perform one or more of its functions without them, or services added to enhance or adapt the product’s functionality.

Aftermarket service providers: Refer to entities that offer services using data generated by connected products or related services after the initial sale or deployment of those products. These services can include:

• Repair and maintenance services for connected products (e.g., fixing smart home devices, servicing connected vehicles).

• Performance optimization (e.g., tuning machinery or vehicles based on usage data).

• Usage-based insurance or other data-driven financial services.

• Fleet management or asset tracking services.

• Predictive maintenance based on real-time or historical product data.

Data Processing Services: These are services that allow data to be processed using computing resources, including:

• Cloud services
• Edge computing
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
• Software as a Service (SaaS)

These services are subject to obligations under the Data Act if they are made available in the Union, regardless of where the service provider is established.

This is not an exhaustive list. Any service that involves the use, provision, or processing of data from connected products or related services, or that facilitates access to or sharing of such data, may fall within the scope of the Data Act.

A legal representative is a natural or legal person established in the European Union who is explicitly designated by a non-EU entity to act on its behalf for the purpose of compliance with the Data Act.

A legal representative is mandated by an entity to be addressed in addition to or instead of it by competent authorities with regard to all issues related to that entity.

The legal representative cooperates with and comprehensively demonstrates to the competent authorities, upon request, the actions taken and provisions put in place by the entity to ensure compliance with the Data Act.

Additionally, the legal representative must provide all necessary information to verify the entity’s compliance with the Regulation.

Member States are responsible for establishing and enforcing penalties for infringements of the Regulation.

Member States may consider the factors when establishing penalties:

• Nature, gravity, scale, and duration of the infringement;
• Mitigating or remedial actions taken;
• Previous infringements;
• Financial gain or avoided losses from the breach;
• Aggravating or mitigating circumstances;
• Annual turnover in the Union.